SKIP UPGRADE CHECK Resolve "Convert Chart to Passthrough"
General MR
Summary
This MR converts the keycloak chart to the passthrough pattern. Considerable changes are included. The documentation has been significantly refactored. Unused and redundant docs and values have been removed.
Umbrella Branch
keycloak-243-convert-to-passthrough
Test Values
This MR has been written in tandem with changes present in the keycloak-243-convert-to-passthrough branch in Big Bang umbrella. When testing, make sure you're using that branch.
helm upgrade --install bigbang ./chart \
  --debug \
  --namespace bigbang \
  --create-namespace \
  --values ignore/ib_creds.yaml \
  --values tests/test-values.yaml \
  --values chart/ingress-certs.yaml \
  --values <(cat << YAML
sso:
  saml:
    # This line will be an empty string on first apply, but apply again after KC is up and it should populate
    metadata: $(curl --connect-timeout 1s -fsSL https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml/descriptor || echo "")
monitoring:
  sso:
    enabled: true
grafana:
  sso:
    enabled: true
kiali:
  sso:
    enabled: true
  values:
    upstream:
      cr:
        spec:
          auth:
            strategy: openid
addons:
  authservice:
    enabled: true
  sonarqube:
    enabled: true
    sso:
      enabled: true
  mattermost:
    enabled: true
    sso:
      enabled: true
    values:
      elasticsearch:
        enabled: false
      mattermostEnvs:
        MM_GITLABSETTINGS_SCOPE: openid
  keycloak:
    enabled: true
    git:
      tag: null
      branch: 243-convert-chart-to-passthrough
YAML
)
What has been tested
App | Tested | Working (CAC) | Working (non-CAC) |
---|---|---|---|
Grafana | |||
Prometheus | |||
Alertmanager | |||
Kiali | |||
Mattermost | |||
Sonarqube |
A Big Bang MR is available that demonstrates a passing Clean Install pipeline. Unfortunately, upgrade pipelines will always fail due to the jump in postgres major versions for the bundled postgres chart. Enabling the bundled chart is not a supported production configuration, so this is not a concern.
Linked Issue
Closes #237 (closed)
Closes #228 (closed)
Upgrade Notices
This release of Keycloak completely migrates the chart to the passthrough pattern. With that migration come considerations for Big Bang users that rely on the Keycloak chart.
Shifting values
Values that traditionally have been used to configure the keycloak components of the chart are now available under the upstream key:
- resources:
- requests:
- cpu: "1"
- memory: "1Gi"
- limits:
- memory: "1Gi"
+ upstream:
+ resources:
+ requests:
+ cpu: "1"
+ memory: "1Gi"
+ limits:
+ memory: "1Gi"
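Review bot: the example moves only `resources` under `upstream:`, so a reader cannot tell from it whether every former top-level Keycloak value relocates or just this one. Suggest adding a sentence beside the snippet that names which keys stay at the top level of the package values, and showing the same move as it appears from the umbrella, nested under the package's `values:` key as the test values above do for Kiali.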
Removal of the *BigBang values
The old chart had big-bang-specific values fields (like extraVolumeMountsBigBang and extraVolumesBigBang) that were created to smooth over a limitation of the upstream chart's extraVolumeMounts and extraVolumes.
Those two fields are expected to be strings and are templated in the upstream chart and converted to yaml. This allows things like:
extraVolumes: |-
  - name: tlscert
    secret:
      secretName: {{ include "keycloak.fullname" . }}-tlscert
  - name: tlskey
    secret:
      secretName: {{ include "keycloak.fullname" . }}-tlskey
to be created in the actual pod spec as:
- name: tlscert
  secret:
    defaultMode: 420
    secretName: keycloak-upstream-tlscert
- name: tlskey
  secret:
    defaultMode: 420
    secretName: keycloak-upstream-tlskey
The problem that was being solved is that these strings don't overlay correctly. The final overlay that set extraVolumes was always the "winner" and only its configuration would make it into the final templates.
Since the passthrough pattern no longer affords us the ability to affect the final templates for the keycloak StatefulSet, consumers of this package must take care to ensure the final value of any of these "yaml string literal" values includes all the desired contents.
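The overlay behaviour described above can be checked before an upgrade. The following is an added example, not code from this MR or the chart: it merges layered values the way Helm layers `--values` files (maps merge, strings are replaced) and reports list entries that an earlier layer defined but the final string no longer contains. It assumes `extraVolumes` and `extraVolumeMounts` sit under the `upstream` key; `merge_values`, `dropped_entries` and the sample layers are constructed for illustration.

```python
import re

# Keys the upstream chart expects as templated YAML *strings* (named on this page).
STRING_LITERAL_KEYS = ("extraVolumes", "extraVolumeMounts")

def merge_values(base, overlay):
    """Merge like layered --values files: maps merge recursively, all else is replaced."""
    merged = dict(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_values(merged[key], value)
        else:
            merged[key] = value  # a string literal is replaced wholesale, never appended
    return merged

def entry_names(block):
    """Names of the list entries inside a YAML string literal (None is treated as empty)."""
    return set(re.findall(r"^\s*-\s*name:\s*(\S+)", block or "", flags=re.M))

def dropped_entries(layers):
    """Return {key: [names defined in some layer but missing from the final value]}."""
    final = {}
    for layer in layers:
        final = merge_values(final, layer)
    report = {}
    for key in STRING_LITERAL_KEYS:
        seen = set()
        for layer in layers:
            seen |= entry_names(layer.get("upstream", {}).get(key))
        lost = seen - entry_names(final.get("upstream", {}).get(key))
        if lost:
            report[key] = sorted(lost)
    return report

# Constructed sample layers: a base values file and a site overlay (assumed layout).
BASE = {"upstream": {"resources": {"requests": {"cpu": "1"}}, "extraVolumes": (
    '- name: tlscert\n  secret:\n    secretName: {{ include "keycloak.fullname" . }}-tlscert\n'
    '- name: tlskey\n  secret:\n    secretName: {{ include "keycloak.fullname" . }}-tlskey\n')}}
OVERLAY = {"upstream": {"resources": {"limits": {"memory": "1Gi"}}, "extraVolumes": (
    "- name: custom-theme\n  configMap:\n    name: custom-theme\n")}}
# Corrected final layer: the string restates every entry that must survive.
FIXED = {"upstream": {"extraVolumes": BASE["upstream"]["extraVolumes"]
                      + OVERLAY["upstream"]["extraVolumes"]}}

if __name__ == "__main__":
    print(dropped_entries([BASE, OVERLAY]))         # TLS volumes silently dropped
    print(dropped_entries([BASE, OVERLAY, FIXED]))  # nothing dropped
```

Note that `resources` merges across layers while `extraVolumes` does not, which is why the TLS secret volumes disappear without any Helm error.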
Major Version Change for Bundled Postgres
The bundled postgres chart has been upgraded to the latest bitnami chart. For consumers using the bundled postgres chart, be advised this is not a supported configuration in production. If you are using the bundled chart, take steps to migrate to an external database implementation prior to attempting this upgrade.